Passcodes: An answer to phish fright

Often, online anonymity makes for online mischief. In the US, a disgruntled employee recently used his boss's username and password to log on to an Internet listing service and sneakily put his house up for sale.

What should the boss have done - not used the Internet? Sacked the disgruntled fellow well in advance? Practiced McGregor's Theory Y?

None of the above. He should've used a website that employs stringent security tools. These exist, and recognise that primitive password systems do little but deter mischief by cyber-rookies. For cyber-junkies, stealing a password is easier than picking a drunk's pocket. It's called "phishing", and even sounds cute to some people.

Welcome, therefore, the arrival of passcodes. "These, simply put, are passwords in numerical format - 10 digits or longer - that promise a secure passage as they are difficult to predict but hard to remember," says Srikiran Raghavan, regional head, sales, RSA Security.

It works like this. You carry a digital device (keychain-like token) that generates and displays a new unique random passcode every 60 seconds.

Now, at a website, if you glance at your token and input the passcode along with your secret Personal Identification Number, the website will run an instant two-factor authentication, and wave you in.

If some rogue phishes your data and tries using it later, he'll be nabbed (or at least blocked), for the passcode would have changed by then.
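As an added illustration, not code from the article or from RSA Security (whose SecurID tokens use their own proprietary algorithm), here is a time-based one-time passcode in the RFC 6238 style with the article's 60-second window, plus the website-side check that combines the PIN with the passcode and refuses a phished passcode replayed later. The seed, PIN and username are constructed sample values; the seed is the RFC 4226 test secret so the codes can be checked against its published vectors.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's token shows a fresh passcode every 60 seconds
DIGITS = 6          # display length; real devices may show more digits

def passcode(seed: bytes, at: int) -> str:
    """Code the token displays during the 60-second window containing time `at`.

    Assumption: HMAC-SHA1 time-based OTP (RFC 6238 style). The token and the
    website share `seed`, which is how the website can recompute the code.
    """
    counter = int(at) // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    num = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** DIGITS:0{DIGITS}d}"

class AuthServer:
    """Website side: PIN (something you know) + passcode (something you have)."""

    def __init__(self):
        self.users = {}          # user -> (seed, pin); constructed sample data
        self.last_counter = {}   # user -> newest window already accepted (replay guard)

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        if user not in self.users:
            return False
        seed, real_pin = self.users[user]
        pin_ok = hmac.compare_digest(pin, real_pin)     # constant-time compare
        current = int(now) // STEP_SECONDS
        matched = None
        # Accept the current window and the previous one to tolerate clock drift.
        for counter in (c for c in (current, current - 1) if c >= 0):
            if hmac.compare_digest(passcode(seed, counter * STEP_SECONDS), code):
                matched = counter
                break
        if not pin_ok or matched is None:
            return False
        # A phished passcode replayed later fails: its window has passed,
        # or that window was already spent on an earlier login.
        if matched <= self.last_counter.get(user, -1):
            return False
        self.last_counter[user] = matched
        return True
```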

Major websites are already going for it globally. "RSA Security has implemented a similar token-based solution for AOL's premium users who would prefer a level of security even if that involves an extra cost," says Raghavan.

AOL users are guarding their personal effects stored on the Internet. But it's financial institutions that Raghavan feels could benefit the most from the technology - given that banking customers are so stricken with phish-fright.

"When one bank starts offering it, customers of other banks are likely to ask, 'why are we not getting this layer of security?'" surmises Raghavan, who considers it a strong marketing tack.

"We see strong authentication becoming widely adopted in a number of verticals, including financial services, healthcare institutions and higher education," says Shlomi Yanai, vice-president, Aladdin eToken Business Unit, another player. According to him, increased compliance with regulatory norms will prod adoption too.

Will the cost be a deterrent?

Not to the mind of Souma Das, area vice-president, Citrix India, which implements such solutions. He says passcode technology is easy to integrate with legacy computer systems. There might even be savings, he adds, in terms of cost reduction on forgotten passwords and help desk operations.

But another implementer, Rajendra Dhavale, consulting director, Computer Associates, India and SAARC, worries about the cost of the backup systems and tokens, apart from the rigmarole of handing them out to customers and then ensuring quick replacements too.